FDM and NPS, test works but can't login

richard.priest
Level 1

Hi,

 

just trying to setup external RADIUS authentication to our Firepower 2110 boxes, we don't have FMC so it's the on box FDM for config.

 

I've created a security group in AD and the specific policies in the NPS, with the attribute fdm.userrole.authority.admin added to the cisco-av-pair attribute.

 

When I test authentication I get a success notification

 

FDM_NPS_1.png

However, when attempting to log in I am unsuccessful.

FDM_NPS_2.png

Can anyone advise where I may have gone wrong in setting this up?

 

 

 

EDIT:

 

Checking the NPS logs I can see it's approved the access request

 

FDM_NPS_3.png

 

Many thanks

 

Rich

Accepted Solution

You're welcome. The RADIUS test is just basically checking shared secret and if the device is valid on the RADIUS server.

I agree it would be useful if it actually processed the full authorization request and checked the result.

Seeing the actual packets often helps us cut through what we think is happening vs. what's actually going on. Back when I was learning ISE seeing the actual attributes and their values was my "ah ha" moment for grokking the computer science term "A-V pair".

7 Replies

Marvin Rhoads
Hall of Fame

Did you setup NPS to return the Cisco A-V pair "fdm.userrole.authority.admin"? (or .ro or .rw for read-only and read-write users) That's required to make it work. A simple "Access-Accept" won't do it.

I just tested and setup using ISE in my lab and that last bit was the key.

Reference the online help in your FDM:

https://<your FDM address>/#/help/t_configuring_external_authorization_aaa_for_firepower_device_manager_users.html

FDM User with External Authentication

FDM Authorization Result in ISE

Yeah I did, I don't have ISE unfortunately so am just using Windows NPS.

 

FDM_NPS_4.png

 

FWIW this is the attribute setting in the NPS policy

Hmmm, if NPS is returning that value in the Cisco AV pair it should work.

I'd check with a packet capture on the NPS server filtering to the FTD address. RADIUS is plain text so you should be able to confirm the value is being sent back to FDM in the RADIUS reply message.

that's a great idea!

 

I've actually figured it out / fixed it, but I'm going to wireshark anyway for curiosity/professional interests sake.

 

When I created the NPS policy I added the RADIUS attribute to the network policy rather than the connection policy.

 

I do find it vexing that, when testing, FDM reported a success even though it wouldn't work, mind.

 

For any future google searchers, set it in here:

FDM_NPS_5.png

 

Really appreciate the help!

 

Cheers

 

Rich


This helped me, thanks.

Did you manage to authenticate users for SSH connections in the same way?

 

I did it. The same logic applies; only for SSH the Service-Type needs to be set to Administrative.

And don't use "." in the username.

cheers
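As an added example (not code from this thread, from Cisco, or from NPS), the following Python script shows what Marvin's packet-capture suggestion and the SSH Service-Type point above look like on the wire. It builds two constructed RADIUS Access-Accept replies, one carrying the cisco-av-pair `fdm.userrole.authority.admin` plus Service-Type Administrative, and one bare Access-Accept like the reply you get when the attribute sits in the wrong NPS policy. It then checks what the FDM "test" button can prove (the Response Authenticator, i.e. the shared secret) versus what a login actually needs (the role AV-pair). The shared secret, Request Authenticator, function names and constants are all assumptions constructed for the example; the RADIUS encoding follows RFC 2865 and Cisco's vendor ID 9 / sub-type 1 for cisco-av-pair.

```python
import hashlib
import hmac
import struct

# RADIUS (RFC 2865) constants used below.
ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6
ATTR_VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6      # "Administrative-User", needed for the SSH case
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                     # Cisco's VSA sub-type for cisco-av-pair
FDM_ROLE_PREFIX = "fdm.userrole.authority."


def encode_attributes(attrs):
    """TLV-encode a list of (type, value-bytes) pairs."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def cisco_avpair(text):
    """Value of a Vendor-Specific attribute carrying one cisco-av-pair string."""
    raw = text.encode()
    return struct.pack("!I", CISCO_VENDOR_ID) + encode_attributes([(CISCO_AVPAIR, raw)])


def build_access_accept(ident, request_auth, secret, attrs):
    """Build an Access-Accept; the Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def parse_attributes(data):
    """Walk a TLV sequence; raises on a truncated or zero-length attribute."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute length")
        out.append((t, data[i + 2:i + length]))
        i += length
    return out


def verify_response_authenticator(packet, request_auth, secret):
    """The part a test with only the shared secret can prove: the reply was
    built by a server holding our secret, in answer to our request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def fdm_role(packet):
    """Return 'admin', 'rw' or 'ro' from a fdm.userrole.authority.* cisco-av-pair, else None."""
    role = None
    for t, v in parse_attributes(packet[20:]):
        if t != ATTR_VENDOR_SPECIFIC or len(v) < 4:
            continue
        if struct.unpack("!I", v[:4])[0] != CISCO_VENDOR_ID:
            continue
        for sub_t, sub_v in parse_attributes(v[4:]):
            text = sub_v.decode(errors="replace")
            if sub_t == CISCO_AVPAIR and text.startswith(FDM_ROLE_PREFIX):
                role = text[len(FDM_ROLE_PREFIX):]
    return role


def service_type(packet):
    """Return the integer Service-Type attribute, or None if absent."""
    for t, v in parse_attributes(packet[20:]):
        if t == ATTR_SERVICE_TYPE and len(v) == 4:
            return struct.unpack("!I", v)[0]
    return None


def check_reply(packet, request_auth, secret):
    """What a full authorization check, rather than the test button, would conclude."""
    if not verify_response_authenticator(packet, request_auth, secret):
        return "bad-authenticator"
    if packet[0] != ACCESS_ACCEPT:
        return "rejected"
    role = fdm_role(packet)
    return "accept:" + role if role else "accept-without-role"


# Constructed sample data (assumed values, not captured from the poster's environment).
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes(range(16))   # stands in for the Request Authenticator we sent
# Reply from a correctly placed policy: role AV-pair plus Service-Type Administrative.
SAMPLE_GOOD = build_access_accept(7, REQUEST_AUTH, SECRET, [
    (ATTR_VENDOR_SPECIFIC, cisco_avpair("fdm.userrole.authority.admin")),
    (ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
])
# Bare Access-Accept with the attribute missing: passes the test button, gives no role.
SAMPLE_NO_ROLE = build_access_accept(7, REQUEST_AUTH, SECRET, [])

if __name__ == "__main__":
    for name, pkt in (("good", SAMPLE_GOOD), ("no-role", SAMPLE_NO_ROLE)):
        print(name, check_reply(pkt, REQUEST_AUTH, SECRET), "service-type:", service_type(pkt))
```

In a real capture the same fields are visible in Wireshark's RADIUS dissector under the Access-Accept: the Vendor-Specific attribute with Vendor ID 9 should contain the `fdm.userrole.authority.*` string, and for SSH logins the Service-Type attribute should decode as Administrative-User (6). A reply that verifies against the shared secret but carries neither is exactly the "test succeeds, login fails" symptom from the original post.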

 
